Method and device for implementation of a firewall application for communication data

ABSTRACT

In one aspect, a method for implementing a firewall application is provided whereby, in a first step of initiating a connection from a first to a second terminal device, authentication data for the first terminal device is transmitted to a network interworking device with a known address and, after successful authentication, a selected address is communicated to the firewall device so that the firewall device is activated for the signaling data of the connection. In another aspect, an arrangement for carrying out the method is provided.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is the US National Stage of International Application No. PCT/DE02/03351, filed Sep. 10, 2002, and claims the benefit thereof. The International Application claims the benefits of German application No. 10147147.5 DE filed Sep. 25, 2001; both applications are incorporated by reference herein in their entirety.

FIELD OF INVENTION

The invention relates to a method for implementing a firewall application for communication data transmitted between terminal devices according to the preamble of claim 1, and to an arrangement for performing the method.

BACKGROUND OF INVENTION

Methods for security checking of transmitted communication data are often referred to as “firewalls”. These are methods and devices which are aimed at preventing unauthorized access to data and, in particular, at preventing the introduction of computer viruses.

Firewalls are frequently deployed at the boundary between two adjacent communication networks in order to preclude from the outset the infiltration of computer viruses into, for example, a private communication network of the “LAN” type (LAN: Local Area Network). Firewalls of this kind have the disadvantage that they cannot process communication data which is transmitted in the context of Internet telephony, based on the Voice-over-IP principle, between two terminal devices disposed in different communication networks, because the addresses of the terminal devices involved are assigned dynamically and are therefore not known to the firewall in advance. Accordingly, the transmitted communication data is not reliably checked with regard to its content for the presence of computer viruses.

In Internet telephony, IP addresses are assigned only temporarily, in other words dynamically, by the Internet Service Providers (ISPs), which is why the IP addresses must be exchanged first before a connection is established via the Internet. A firewall device disposed between the communication networks, however, is usually designed to recognize static IP addresses, in other words addresses which do not change over time.

International standards, specifically the H.323 and SIP standards, were created in order to enable video and audio data to be detected, transmitted and processed further in the context of Internet telephony or a multimedia conference via the Internet. These standards use the protocols known from the Internet, such as UDP (User Datagram Protocol) and RTP (Real-time Transport Protocol). These protocols are used to transport the datagrams by means of which the audio and video data is transmitted over the Internet.

Specified among other things in these standards is that telephone calls based on Voice-over-IP may consist of a number of connections, specifically the signaling, control protocol and user data connections. For these connections the port numbers, which may only be valid for the duration of a single call, must be re-determined for each further call. These dynamically determined port numbers lead to further problems in the processing of the data by the firewall device, which is usually geared to the recognition of statically determined port numbers.

SUMMARY OF INVENTION

Accordingly, the object of the present invention is to provide a method for implementing a firewall application for communication data transmitted between communication networks which is also suitable for Internet telephony and Internet multimedia connections, and an arrangement for performing said method.

This object is achieved in respect of the method and the device according to the features of the independent claims.

A significant point of the invention is that, by means of what is called a look-ahead mechanism, prior to the actual connection setup between two terminal devices a security check takes place at a network interworking device whose IP address is known, in order subsequently, following a successful check, to activate a firewall device for the connection setup. For this purpose, in a first step to initiate a connection from the first to the second terminal device, authentication data for authenticating the first terminal device is sent via a first network interworking device to a second network interworking device which is disposed in the second communication network. In a second step, following successful authentication of the first terminal device, the second network interworking device activates the firewall device for a selected further IP address for the signaling data, namely that of the authenticated terminal device or of a gatekeeper.

In this way the firewall device can also recognize IP addresses which are assigned on a time-limited basis for the setting up of a multimedia connection or an Internet telephone connection. A security check of the data transmitted over these connections is therefore possible by means of a firewall device which constantly resets itself, that is, which is reconfigured for each individual call. Furthermore, as well as the agreement on a new IP address, the firewall device can also be set to and activated for new port numbers.

For the purpose of the ensuing connection setup, in a step involving the transmission of a message from the second to the first network interworking device, the new address for the transmission of signaling data is communicated. The first network interworking device then communicates the new address to a first gatekeeper.

Following this, a connection setup request can be signaled by the first terminal device via the first gatekeeper and the firewall device to the second network interworking device. The signaling data is checked for viruses by the firewall device and, if verified as being in a virus-free state, is then forwarded to the second terminal device. Following successful agreement between the two terminal devices and a confirmation message from the second to the first terminal device for the acceptance of the call, an activation message for enabling the firewall device for the user data of the first and second terminal devices is sent from the second network interworking device to the firewall device. In this way the corresponding port numbers are activated at the firewall device for the transmission of user data, such as, for example, voice data.

A dynamic adaptation of the firewall device to the individual call is thus also assured during the self-adjustment to new port numbers.

Advantageously, in an arrangement for performing the method comprising the firewall device, the first and second terminal devices and the first network interworking device, a second network interworking device with a known address is disposed for carrying out an authentication on the basis of authentication data transmitted by the first terminal device, and for sending a selected further address of the first terminal device to the firewall device in order to activate said device for the signaling data to be sent from the first to the second terminal device.

The arrangement additionally comprises, preferably in the second network interworking device, an activation device for activating the firewall device for signaling data and/or user data. Following the activation of the ports responsible for the signaling data, the ports responsible for the user data are activated.

BRIEF DESCRIPTION OF DRAWING

Further advantageous embodiments are derived from the subclaims. In addition, advantages and beneficial uses can be derived from the following description in connection with the FIGURE. The latter shows a schematic representation of an embodiment of the method according to the invention together with device aspects.

DETAILED DESCRIPTION OF INVENTION

The embodiment shown in the FIGURE represents in schematic form, with reference to individual device aspects, an Internet telephone call based on the Voice-over-IP principle between two communication networks, in each of which there is disposed a terminal device. The user of a first terminal device 1 would like to conduct an Internet telephone call with the user of a second terminal device 2. The first terminal device 1 is disposed in a first communication network 3, which represents a Voice-over-IP carrier network, while the second terminal device 2 is disposed in a local area network (LAN) 4.

In the steps S1, S2 and S3, a connection setup request is sent by the first terminal device 1 via a gatekeeper 5 and a first network interworking device 6 to a second network interworking device 7 for the purpose of initiating a connection. A look-ahead mechanism of this kind between the first terminal device 1, the first gatekeeper 5 and the first network interworking device 6 in the first communication network 3 on the one side and the second network interworking device 7 in the second communication network 4 on the other side is effected according to the H.225.0 Annex G standard, whose associated protocol uses known port numbers, so that this exchange itself does not depend on dynamically assigned addresses or ports.

During this connection initiation phase, authentication data for authenticating the first terminal device is sent, with or without prompting, by the first terminal device to the second network interworking device 7, in order thereby to enable a check to be made on the user calling from outside the LAN with the first terminal device. The exclusion of calling terminal devices which are not authorized is performed here according to various previously stored criteria.

Provided the identity of the calling terminal device has been successfully established and its authorization to conduct an Internet call with devices inside the second communication network 4 is present, in step S4 a message containing a second address for the signaling data, namely that of the first terminal device or of the first gatekeeper 5, is sent by the second network interworking device 7 to a firewall device 9 in order to activate the firewall device 9 for this newly assigned address. The sending of a message of this type is initiated by a Firewall Control Interface (FCI) disposed in the second network interworking device 7.

Following successful authentication, an Access Confirm message is sent by the second network interworking device 7 by means of the H.225.0 Annex G protocol to the first network interworking device 6 and on to the first gatekeeper 5; by means of this Access Confirm message the IP address of, for example, the second network interworking device 7 and the port numbers assigned to the future call are communicated. The sending of an Access Confirm message of this kind from the second to the first network interworking device 6 can likewise take place before the step of sending the message from the second network interworking device 7 to the firewall device 9 by means of which the newly assigned address is communicated to the firewall device.

In the following step S5, the actual setup of the call from the first to the second terminal device is performed via the first gatekeeper 5, the firewall device 9, the second network interworking device 7 and the second gatekeeper 8. For this purpose, a SETUP message according to the H.225.0 standard is sent by the first terminal device 1 to the second terminal device 2. The SETUP message is routed via a signaling gateway which is set up as a function within the second network interworking device (border proxy) in order to ensure that the signaling data is converted to the requirements of the new communication network 4. This SETUP message can pass the firewall device 9 because the corresponding ports were activated in step S4; a SETUP message from an address for which no such activation has taken place is not passed.

In a step S6, a confirmation message for the completed connection setup is sent in the form of an ALERT message by the second terminal device 2 via the second network interworking device 7, the firewall device 9 and the gatekeeper 5 to the first terminal device 1. In a step S7, the FCI disposed in the second network interworking device 7 then sends an activation signal to the firewall device 9, by means of which the corresponding port numbers are opened in order to receive the future user data (voice data) of the first and second terminal devices. Voice data can now be transmitted from the first terminal device 1 to the second terminal device 2 via the firewall device 9 (step S8).

The transmission of the authentication data in steps S1-S3 can be based on a public key infrastructure (PKI) encryption method, which makes it practically impossible for an unauthorized external user to masquerade as an authorized user as long as the authorized user's private key is not compromised.
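The look-ahead sequence summarized above and worked through in steps S1-S8 can be modelled end to end. The following Python simulation is an added example; it is not part of the patent and not any vendor's implementation. It assumes a default-deny pinhole firewall keyed on (source address, destination port), H.225.0 call signaling on TCP port 1720, two constructed RTP ports per call and, in place of the PKI method mentioned above, an HMAC-SHA256 tag over a shared secret and a nonce so that it runs with the standard library only. The IP addresses, terminal identifiers, class names and function names are all constructed for illustration.

```python
"""Look-ahead firewall activation for a VoIP call, modelled after the
patent's steps S1-S8.  Constructed example, not the patent's own code.

Assumptions not in the patent text:
  * authentication uses an HMAC-SHA256 tag over a shared secret and a
    fresh nonce (the patent speaks of a PKI method; HMAC keeps this
    example dependency-free);
  * H.225.0 signaling is reached at TCP port 1720, media at two RTP
    ports chosen per call;
  * the firewall is a pure default-deny pinhole table keyed on
    (source IP, destination port).
"""
import hashlib
import hmac

SHARED_SECRET = b"constructed-demo-secret"   # assumption, see docstring
SIGNALING_PORT = 1720                        # assumption: H.225.0 call signaling


class Firewall:
    """Firewall device (9): default-deny; only pinholes opened by the FCI pass."""

    def __init__(self):
        self.pinholes = set()   # {(src_ip, dst_port)}
        self.log = []

    def activate(self, src_ip, dst_port):
        self.pinholes.add((src_ip, dst_port))

    def release(self, src_ip):
        """Close every pinhole for src_ip once the call is over (self-reset)."""
        self.pinholes = {p for p in self.pinholes if p[0] != src_ip}

    def forward(self, src_ip, dst_port, msg):
        passed = (src_ip, dst_port) in self.pinholes
        self.log.append(f"{'PASS' if passed else 'DROP'} {src_ip}->{dst_port} {msg}")
        return passed


class BorderElement:
    """Second network interworking device (7) with a known address.

    Holds the stored authorization criteria and the Firewall Control
    Interface (FCI) that drives the firewall.
    """

    def __init__(self, own_ip, firewall, authorized):
        self.own_ip = own_ip
        self.fw = firewall
        self.authorized = set(authorized)   # "previously stored criteria"
        self.seen_nonces = set()            # replay protection (assumption)

    @staticmethod
    def tag(terminal_id, gatekeeper_ip, nonce):
        data = f"{terminal_id}|{gatekeeper_ip}|{nonce}".encode()
        return hmac.new(SHARED_SECRET, data, hashlib.sha256).hexdigest()

    def access_request(self, terminal_id, gatekeeper_ip, nonce, tag):
        """Steps S1-S4: verify the caller, pinhole signaling, return Access Confirm."""
        if terminal_id not in self.authorized or nonce in self.seen_nonces:
            return None
        if not hmac.compare_digest(self.tag(terminal_id, gatekeeper_ip, nonce), tag):
            return None
        self.seen_nonces.add(nonce)
        # S4: the FCI opens the firewall for the *selected* address (here the
        # gatekeeper's, since the terminal's own address is dynamic).
        self.fw.activate(gatekeeper_ip, SIGNALING_PORT)
        return {"address": self.own_ip, "port": SIGNALING_PORT}   # Access Confirm

    def call_alerting(self, gatekeeper_ip, media_ports):
        """Step S7: after ALERT, the FCI opens the per-call media ports."""
        for port in media_ports:
            self.fw.activate(gatekeeper_ip, port)


def run_call(terminal_id, gatekeeper_ip="198.51.100.10", tag=None,
             media_ports=(16384, 16385)):
    """Drive one call through the exchange and report what the firewall did."""
    fw = Firewall()
    be = BorderElement("203.0.113.7", fw, authorized={"terminal-1"})
    nonce = "n-0001"
    if tag is None:
        tag = BorderElement.tag(terminal_id, gatekeeper_ip, nonce)
    # S1-S3: Access Request with authentication data via interworking device 6.
    confirm = be.access_request(terminal_id, gatekeeper_ip, nonce, tag)
    # S5: SETUP toward the border element, through the firewall.
    setup_ok = fw.forward(gatekeeper_ip, SIGNALING_PORT, "H.225.0 SETUP")
    # S6/S7: callee alerts; the FCI opens media ports only for an admitted call.
    if confirm is not None:
        be.call_alerting(gatekeeper_ip, media_ports)
    # S8: RTP voice packets.
    rtp_ok = fw.forward(gatekeeper_ip, media_ports[0], "RTP voice")
    # Call release: the firewall resets itself for the next call.
    fw.release(gatekeeper_ip)
    after_release = fw.forward(gatekeeper_ip, media_ports[0], "late RTP")
    return {"admitted": confirm is not None, "setup": setup_ok,
            "rtp": rtp_ok, "after_release": after_release, "log": fw.log}


if __name__ == "__main__":
    for line in run_call("terminal-1")["log"]:
        print(line)
    print(run_call("terminal-2")["admitted"])            # unauthorized caller
    print(run_call("terminal-1", tag="00")["admitted"])  # forged tag
```

Running the module prints the firewall log for an admitted call and then shows that an unauthorized terminal and a forged authentication tag both fail the look-ahead check, so their SETUP never reaches the border element and no media ports are ever opened. The nonce check is the caveat the patent text does not spell out: without it, anyone who captured a valid access request could replay it and reopen the signaling pinhole for the same gatekeeper address.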

As an alternative to the H.323 and H.225.0 Annex G protocols used, SIP protocols can be used for performing the method according to the invention. In that case the H.225.0 SETUP call setup message is replaced by the SIP INVITE message. Any other suitable protocol, in particular as a replacement for the H.225.0 Annex G protocol, is also possible.

The FCI function and the checking of the authentication data (border element) can be disposed either within a network interworking device (border proxy) together with the second gatekeeper 8 on a common computer, or independently of them in separate devices.

The method according to the invention can be implemented between a private network (LAN) and a carrier network, between two private networks or between two carrier networks. In addition to Internet telephony, its application to multimedia Internet connections is also possible.

The embodiment of the invention is not restricted to the example described and the aspects highlighted above, but within the frame of reference of the claims is equally possible in a plurality of variations which lie within the scope of action of persons skilled in the art.

1. A method for implementing a firewall application for communication data transmitted between terminal devices, comprising: disposing a first terminal device and a first interworking device in a first communication network; disposing a second terminal device and a second interworking device in a second communication network; initiating a data connection between the first terminal device and the second terminal device; sending data for authenticating the first terminal device from a first interworking device to a second interworking device with a known address; authenticating, by the second interworking device, that the first terminal is authorized to communicate with the second communication network; and in response to the first terminal being authorized: communicating, by the second interworking device, a further address to a firewall device, the further address being selected from an address of the first terminal device and the address of a first gatekeeper connected to the first terminal device; and activating the firewall device to allow signaling data to be sent by the first terminal device via the firewall device to the second terminal device.
2. The method according to claim 1, further comprising sending the further address from the second interworking device to the first interworking device.
3. The method according to claim 2, wherein the further address includes an IP address and a port number.
4. The method according to claim 2, further comprising sending a call setup message from the first terminal device to the second terminal device via the first gatekeeper, the firewall device, the second interworking device and a second gatekeeper.
5. The method according to claim 4, wherein the call setup is performed by sending a SETUP message or a SIP INVITE message.
6. The method according to claim 4, further comprising a confirmation message to confirm the acceptance of the call setup being sent from the second terminal device to the first terminal device by including the further address in the confirmation message.
7. The method according to claim 1, further comprising sending from the second network device an activation message to the firewall device in order to activate the firewall device for user data.
8. The method according to claim 1, wherein the authentication data is transmitted using a Private/Public Key Interface (PKI) encryption.
9. The method according to claim 1, wherein the communication data is transmitted via Internet telephony or Internet multimedia connections.
10. The method according to claim 2, wherein the authentication is based on the sent data and criteria stored in the second interworking device.
11. The method according to claim 4, wherein the first interworking device is bypassed in sending the call setup message.
12. The method according to claim 6, wherein the confirmation is embodied as an ALERT message.
13. A firewall arrangement for communication data transmitted between terminal devices, comprising: a firewall device disposed between a first communication network and a second communication network; a first terminal device disposed in the first communication network; a second terminal device disposed in the second communication network; a first interworking device disposed in the first communication network; and a second interworking device with a known address for: performing an authentication on the basis of authentication data transmitted by the first terminal device, wherein the authentication determines if the first terminal is authorized to communicate with the second communication network, and sending, by the second interworking device, a further address of the second terminal device to the firewall device for activating the firewall device to allow signaling data to be sent from the first terminal device to the second terminal device via the firewall device, wherein the sending is in response to the first terminal being authorized to communicate with the second communication network.
14. The firewall arrangement according to claim 13, wherein an activation device for activating the firewall device is used for signaling data and/or user data.
15. A method for implementing a firewall application for communication data transmitted between terminal devices, comprising: disposing a first terminal device and a first interworking device in a first communication network; disposing a second terminal device and a second interworking device in a second communication network; receiving data by a second interworking device with a known address, the data for determining if the first terminal device is authorized to communicate with the second communication network; activating, by the second interworking device, the firewall device to accept signaling data from the first terminal device, the activation via a firewall control interface and in response to the first terminal being authorized to communicate with the second communication network; receiving signaling data from the first terminal device by the firewall device, the signaling data in the form of a call setup message; and accepting the signaling data by the firewall in response to the firewall being activated to accept the signaling data by the first terminal device.
16. The method according to claim 15, further comprising forwarding the call setup message to the second terminal in response to the signaling data being accepted by the firewall.
17. The method according to claim 16, wherein a confirmation message is sent from the second terminal device to the first terminal device.
18. The method according to claim 17, further comprising activating the firewall device to accept user data from the first terminal device, the activation via the firewall control interface.
19. The method according to claim 18, further comprising: receiving user data from the first terminal device by the firewall device; and accepting the user data by the firewall in response to the firewall being activated to accept the user data by the first terminal device.